The GlobalSign PDF at https://storage.pardot.com/707663/57753/globalsign_parchment_digital_signatures_case_study.pdf has LTV with no changes permitted, so it must be possible somehow.
I did some deeper digging on Stack Overflow and found https://stackoverflow.com/questions/38856382/ltv-of-certifying-signatures, which states it's possible to enable LTV by "Embedding the crl bytes & ocsp response in the signature at signing time". I'll look more closely at this before posting my own question.

Thanks!

On 2020/06/24 04:24:25, Tilman Hausherr <thaush...@t-online.de> wrote:
> Hi,
>
> I don't know if this is possible. My understanding would be "no". You
> should ask this on stackoverflow too.
>
> Adding LTV before signing - I have some doubt too, because you would get
> the revocation list / the OCSP response before doing the signing. In
> theory, a certificate could be revoked in the meantime. So this doesn't
> feel right.
>
> Tilman
>
> On 24.06.2020 at 05:24, Chris Parton wrote:
> > I have one more question. Completely understand if you've got more
> > important things to do though :)
> >
> > Adding LTV to my PDF invalidates my certificate when the MDP permission is
> > set to 1 (no changes permitted).
> >
> > At the moment I'm signing the PDF using CreateSignature, then adding LTV in
> > a separate run of AddValidationInformation. My hunch is that the
> > double-saving of the PDF is causing the issue.
> >
> > If you have any thoughts they would be appreciated. In the meanwhile I'll
> > be trying to sign and add LTV before saving the PDF.
> >
> > If it's any use, I've uploaded unsigned, signed, and LTV signed PDFs to
> > this public Drive folder:
> > https://drive.google.com/drive/folders/15uY98ZJYDnpJCtjf2LTheFg4Zu75BBIY?usp=sharing.
> > signed_with_ltv.pdf is the problematic file.
> >
> > Thanks,
> > Chris
> >
> > On 2020/06/23 18:04:19, Tilman Hausherr <thaush...@t-online.de> wrote:
> >> Another problem is that the "highest" certificate does not have a URL
> >> to download the root. So I can't get that one.
> >>
> >> A solution would be that you change the code so that you keep a set of
> >> certificates that you trust and look there when one is missing.
> >>
> >> Tilman
> >>
> >> On 23.06.2020 at 19:00, Tilman Hausherr wrote:
> >>> Hi,
> >>>
> >>> Yeah, the log output is confusing, I'll improve it slightly to output
> >>> what it was searching for. I ran ShowSignature and it's the root
> >>> certificate that is missing in the chain.
> >>>
> >>> Tilman
> >>>
> >>> On 23.06.2020 at 14:59, Chris Parton wrote:
> >>>> Hi all, I'm trying to use the example AddValidationInformation[1]
> >>>> class to add LTV to an existing signed PDF. I've tried with a signed
> >>>> PDF of my own, and a sample GlobalSign[2] PDF.
> >>>>
> >>>> In both cases, I get the same error, and a 0kb PDF generated. Logs[4]
> >>>> are at the bottom of this post.
> >>>>
> >>>> Steps to reproduce:
> >>>> 1. git clone g...@github.com:apache/pdfbox.git
> >>>> 2. cd pdfbox/examples
> >>>> 3. mvn clean install
> >>>> 4. Open pdfbox project in IntelliJ
> >>>> 5. Run AddValidationInformation class, with the downloaded
> >>>> GlobalSign pdf as a program argument
> >>>>
> >>>> The GlobalSign PDF has LTV enabled already, but I get the same error
> >>>> on my own document which doesn't have LTV. For my own document, I can
> >>>> enable LTV via Adobe Acrobat's UI[3], which makes me think the
> >>>> document itself is fine.
> >>>>
> >>>> Can anybody shed some light on why this might be happening? The
> >>>> recursive traverseChain() method seems to spin until it hits the end
> >>>> of the certificate chain, and continues to look for an issuer cert.
> >>>>
> >>>> Thanks so much, I appreciate your help! Let me know if you need any
> >>>> more information and I'll do my best to provide it.
> >>>>
> >>>> [1]
> >>>> https://github.com/apache/pdfbox/blob/2.0.20/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
> >>>>
> >>>> [2]
> >>>> https://storage.pardot.com/707663/57753/globalsign_parchment_digital_signatures_case_study.pdf
> >>>>
> >>>> [3]
> >>>> https://www.ssl.com/how-to/long-term-validation-ltv-of-pdf-digital-signatures-in-adobe-acrobat/#enable
> >>>>
> >>>> [4] App logs
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> getAlternativeIssuerCertificate
> >>>> INFO: Get alternative issuer certificate from:
> >>>> http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> getAlternativeIssuerCertificate
> >>>> INFO: Get alternative issuer certificate from:
> >>>> http://secure.globalsign.com/cacert/gsaatlsha2g2.crt
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> getAlternativeIssuerCertificate
> >>>> SEVERE: Error getting alternative issuer certificate from
> >>>> http://secure.globalsign.com/cacert/gsaatlsha2g2.crt
> >>>> java.io.IOException: No Issuer Certificate found for Cert:
> >>>> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
> >>>>
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> traverseChain
> >>>> INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for
> >>>> AATL, O=GlobalSign nv-sa, C=BE
> >>>> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> getAlternativeIssuerCertificate
> >>>> SEVERE: Error getting alternative issuer certificate from
> >>>> http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt
> >>>> java.io.IOException: No Issuer Certificate found for Cert:
> >>>> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
> >>>>
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> traverseChain
> >>>> INFO: Found the right Issuer Cert! for Cert:
> >>>> EMAILADDRESS=market...@globalsign.com, CN=Marketing, O="GMO
> >>>> GlobalSign, Inc.", L=Portsmouth, ST=New Hampshire, C=US
> >>>> CN=GlobalSign CA 2 for AATL, O=GlobalSign nv-sa, C=BE
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> traverseChain
> >>>> INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for
> >>>> AATL, O=GlobalSign nv-sa, C=BE
> >>>> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >>>> Exception in thread "main" java.io.IOException: No Issuer Certificate
> >>>> found for Cert: CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign
> >>>> nv-sa, C=BE
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
> >>>> at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
> >>>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org
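
The fallback suggested in the quoted 2020/06/23 18:04 reply (keep a set of trusted certificates and look there when an issuer is missing), sketched as an added example that is not part of the thread or of PDFBox. The class and method names are hypothetical, and the JVM's default trust anchors are assumed as the trusted set.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

public class TrustedIssuerLookup {
    // Assumption: the JVM default trust anchors stand in for "a set of certificates that you trust".
    static Set<X509Certificate> loadTrustedSet() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default cacerts store
        Set<X509Certificate> trusted = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                trusted.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
            }
        }
        return trusted;
    }

    // True only if 'issuer' is named as the issuer of 'cert' AND its key verifies cert's signature.
    static boolean issued(X509Certificate issuer, X509Certificate cert) {
        if (!issuer.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return false;
        try {
            cert.verify(issuer.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false; // same name, different key: not the issuer
        }
    }

    // Fallback for the topmost certificate of a chain when no issuer could be downloaded.
    // Returns null if 'top' is self-signed (chain complete), else the trusted issuer;
    // throws if the issuer is not in the trusted set, so the walk stops instead of spinning.
    static X509Certificate resolveTop(X509Certificate top, Set<X509Certificate> trusted)
            throws GeneralSecurityException {
        if (issued(top, top)) return null;
        for (X509Certificate candidate : trusted) {
            if (issued(candidate, top)) return candidate;
        }
        throw new GeneralSecurityException("No trusted issuer for " + top.getSubjectX500Principal());
    }

    public static void main(String[] args) throws Exception {
        Set<X509Certificate> trusted = loadTrustedSet();
        // Constructed input: an anchor from the store stands in for the chain's topmost certificate.
        X509Certificate top = trusted.iterator().next();
        X509Certificate issuer = resolveTop(top, trusted);
        System.out.println(top.getSubjectX500Principal() + " -> "
                + (issuer == null ? "self-signed, chain ends here" : issuer.getSubjectX500Principal()));
    }
}
```

Matching on the issuer name alone is not sufficient; the signature check against the candidate's public key is what ties the missing certificate to the trusted set.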